oss-sec mailing list archives

Re: please verify unusual x.509 constraints are handled


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 27 Jun 2012 15:39:51 +0200

Tavis Ormandy wrote:
List, just an FYI, I've noticed a Korean CA appears to always set the cA
bit in the X.509 basicConstraints, then uses pathLenConstraint and
keyUsage bits to restrict the results.
[...]
While arguably the X.509 specifications permit this, I find it hard to
believe that these bits are checked consistently by all implementations.
AFAICT, GnuTLS does not check these constraints, but OpenSSL does.

One thing I always wonder when x509 certificates come into play is
where to draw the line between missing feature and vulnerability.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
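
The checks discussed in the quoted message, as an added example that is not part of the original thread and is not code from GnuTLS or OpenSSL. It compares a validator that looks only at the cA bit with one that also enforces pathLenConstraint and keyUsage. The Cert model, the function names and all certificate names are constructed for illustration, and self-issued certificates are not treated specially.

```python
from typing import FrozenSet, List, NamedTuple, Optional

class Cert(NamedTuple):
    """Already-decoded extension values (hypothetical model, not a parser)."""
    subject: str
    ca: bool                                # basicConstraints cA
    path_len: Optional[int]                 # pathLenConstraint, None if absent
    key_usage: Optional[FrozenSet[str]]     # keyUsage bits, None if absent

def ca_bit_only(chain: List[Cert]) -> bool:
    """Incomplete check: accepts any issuer that merely has cA set."""
    return all(c.ca for c in chain[:-1])

def check_chain(chain: List[Cert]) -> List[str]:
    """chain[0] is issued by the trust anchor, chain[-1] is the end entity.
    Returns the violations found; an empty list means the path is acceptable.
    Simplification: self-issued certificates are not treated specially."""
    problems = []
    max_path_len = len(chain)
    for cert in chain[:-1]:                 # every certificate used as an issuer
        if not cert.ca:
            problems.append(f"{cert.subject}: cA not set")
        if cert.key_usage is not None and "keyCertSign" not in cert.key_usage:
            problems.append(f"{cert.subject}: keyUsage lacks keyCertSign")
        if max_path_len <= 0:
            problems.append(f"{cert.subject}: path length limit exceeded")
        else:
            max_path_len -= 1
        if cert.path_len is not None and cert.path_len < max_path_len:
            max_path_len = cert.path_len
    return problems

# Constructed sample data: every certificate has cA set, as described above.
SIGN = frozenset({"keyCertSign", "cRLSign"})
TLS = frozenset({"digitalSignature", "keyEncipherment"})
issuing = Cert("Example Issuing CA", True, 0, SIGN)
site = Cert("site.example", True, 0, TLS)        # end entity, yet cA is set
other = Cert("other.example", False, None, TLS)  # certificate signed by site.example

if __name__ == "__main__":
    print(ca_bit_only([issuing, site, other]))   # cA-only check passes
    for p in check_chain([issuing, site, other]):
        print(p)
```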


